unified scheme for protecting other-resource access #604
Labels
Priority: High
Project: Cluster Reconcile
beyond simple xlate of model to K8s spec
Project: KD Admin
post-deployment admin tasks & config
Type: Enhancement
Milestone
KubeDirector has a high level of privilege, and as a kdcluster creator/editor you can ask it to do lots of things, including getting information and/or contents from other resources like secrets, configmaps, and other kdclusters. Depending on the type of resource and the kind of access, we have a range of "are you allowed to do that" checks ranging from no-check, to checking the resource name prefix, to a full-on SubjectAccessReview. This is confusing and makes it more probable that KD users will be allowed to do something that the deploying/configuring admin did not intend.
For the 1.0 release (or earlier) we should do a pass over this to have a more consistent scheme. Maybe "SubjectAccessReview in all cases" is the correct answer, maybe not, but let's decide.
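To make the "SubjectAccessReview in all cases" option concrete, here is an added sketch (not KubeDirector's code and not part of the original issue) of one check path shared by every referenced kind. The `refKinds` table, the function names, the sample user and the kdcluster CRD group/plural are assumptions; submitting the review to the API server is left out.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal mirror of the authorization.k8s.io/v1 SubjectAccessReview JSON shape.
type ResourceAttributes struct {
	Namespace string `json:"namespace,omitempty"`
	Verb      string `json:"verb"`
	Group     string `json:"group,omitempty"`
	Resource  string `json:"resource"`
	Name      string `json:"name,omitempty"`
}
type SARSpec struct {
	ResourceAttributes ResourceAttributes `json:"resourceAttributes"`
	User               string             `json:"user"`
	Groups             []string           `json:"groups,omitempty"`
}
type SubjectAccessReview struct {
	APIVersion string  `json:"apiVersion"`
	Kind       string  `json:"kind"`
	Spec       SARSpec `json:"spec"`
}
type SARStatus struct{ Allowed, Denied bool } // decoded from the API server's reply

// refKinds (hypothetical table): referenced kind -> {API group, plural resource}.
var refKinds = map[string][2]string{
	"secret":    {"", "secrets"},
	"configmap": {"", "configmaps"},
	"kdcluster": {"kubedirector.hpe.com", "kubedirectorclusters"}, // assumed CRD names
}

// BuildReview builds the same "get" check for every kind; unlisted kinds fail closed.
func BuildReview(user string, groups []string, kind, ns, name string) (*SubjectAccessReview, error) {
	gr, ok := refKinds[kind]
	if !ok {
		return nil, fmt.Errorf("no access check defined for kind %q", kind)
	}
	attrs := ResourceAttributes{Namespace: ns, Verb: "get", Group: gr[0], Resource: gr[1], Name: name}
	return &SubjectAccessReview{"authorization.k8s.io/v1", "SubjectAccessReview", SARSpec{attrs, user, groups}}, nil
}
// Permitted is deny-by-default: API errors and explicit denials both refuse access.
func Permitted(st SARStatus, err error) bool { return err == nil && st.Allowed && !st.Denied }
func main() {
	r, _ := BuildReview("alice", []string{"dev"}, "secret", "tenant-a", "db-creds") // constructed sample
	out, _ := json.MarshalIndent(r, "", "  ")
	fmt.Println(string(out))
}
```

The user and groups passed in must be those of whoever created or edited the kdcluster, not the operator's own service account, otherwise the review only reflects KubeDirector's privileges.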